QuickLens Chrome Extension Turns Rogue with Script Injection Attack
A Chrome extension named QuickLens transformed into a malicious tool after a quiet ownership change. It started injecting scripts and stripping browser security headers from all visited sites. Over 7,000 users faced risks from this silent update pushed on February 17, 2026.
QuickLens originally acted as a Google Lens wrapper for browser image searches. Users could capture screens, select areas, search YouTube frames, or check Amazon products. Google even gave it a Featured badge for solid performance.
Published on October 9, 2025, the extension hit ExtensionHub for sale just two days later. Annex Security researchers spotted the listing early. On February 1, 2026, ownership shifted to a shady entity tied to supportdoodlebuggle.top, with a fake LLC identity.
Version 5.8 brought the real danger. It added a command-and-control server at api.extensionanalyticspro.top. New permissions for declarativeNetRequestWithHostAccess and webRequest slipped past most users. A rules.json file wiped key protections like Content-Security-Policy, X-Frame-Options, and X-XSS-Protection.
Attack Mechanics
The core trick uses a 1×1 transparent GIF image for payload delivery. Here’s how it works in steps.
- The C2 server sends JavaScript as a string array to cached-agents-data in local storage.
- The extension reads this on every page load.
- It creates a hidden base64 GIF image whose onload handler runs the script.
- With CSP removed, inline handlers execute freely.
Attackers gain full page access. They steal session tokens, grab form data, scrape content, and exfiltrate to remote servers. The extension still looks normal, masking the threat.

Key Indicators
| Type | Value |
|---|---|
| Extension ID | kdenlnncndfnhkognokgfpabgkgehodd |
| Extension Name | QuickLens – Search Screen with Google Lens |
| Malicious Version | 5.8 |
| C2 Domain | api.extensionanalyticspro.top |
| Developer Email | [email protected] |
| Privacy Policy | kowqlak.lat |
| SHA-256 Hash | fa3d0c8c8e9f3dacaa9f34e42ad63dceeba16689e055b90e9a903fa274d35df0 |
| Removal Date | February 17, 2026 |
Static scans miss this attack because payloads load only at runtime. Names like safelyProcessElement blend in with legitimate code.
Impact and Detection
Sites lose all header defenses. Clickjacking, XSS, and cross-origin attacks become easy. Data theft happens silently across sessions.
Organizations need extension blocklists. Watch for permission jumps, especially net request rules. Users should audit extensions weekly and reject odd prompts.
Google removed it post-discovery. But similar sales on ExtensionHub continue. Verify ownership changes fast.
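The two signals named above, a jump in network permissions and net request rules that strip protective headers, can be checked when reviewing an extension update. The following is an added example, not code from QuickLens or from the researchers; the function names are hypothetical and the manifests and rules are constructed sample data in the declarativeNetRequest rule format.

```javascript
// Added example. All sample data is constructed for illustration.
const SECURITY_HEADERS = new Set([
  "content-security-policy", "x-frame-options", "x-xss-protection",
]);
const NET_PERMISSIONS = new Set([
  "declarativeNetRequest", "declarativeNetRequestWithHostAccess", "webRequest",
]);

// Permissions present in the updated manifest but absent from the previous one.
function permissionJump(oldManifest, newManifest) {
  const before = new Set(oldManifest.permissions || []);
  return (newManifest.permissions || []).filter((p) => !before.has(p));
}

// declarativeNetRequest rules whose action removes a protective response header.
function headerStrippingRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    for (const h of action.responseHeaders || []) {
      const header = String(h.header || "").toLowerCase(); // header names are case-insensitive
      if (h.operation === "remove" && SECURITY_HEADERS.has(header)) {
        findings.push({ ruleId: rule.id, header });
      }
    }
  }
  return findings;
}

// Combine both signals into one verdict for an update review.
function auditUpdate(oldManifest, newManifest, rules) {
  const added = permissionJump(oldManifest, newManifest);
  const netAdded = added.filter((p) => NET_PERMISSIONS.has(p));
  const stripped = headerStrippingRules(rules);
  return { netAdded, stripped, flag: netAdded.length > 0 || stripped.length > 0 };
}

// Constructed before/after manifests and rules file for a hypothetical extension.
const oldManifest = { permissions: ["activeTab", "storage"] };
const newManifest = {
  permissions: ["activeTab", "storage", "declarativeNetRequestWithHostAccess", "webRequest"],
};
const sampleRules = [
  { id: 1, action: { type: "modifyHeaders", responseHeaders: [
      { header: "Content-Security-Policy", operation: "remove" },
      { header: "X-Frame-Options", operation: "remove" } ] },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] } },
  { id: 2, action: { type: "block" }, condition: { urlFilter: "ads.example" } },
];
console.log(JSON.stringify(auditUpdate(oldManifest, newManifest, sampleRules), null, 2));
```

Run it against the previous and updated manifest.json plus each rules file the manifest lists; a flagged update warrants manual review before the extension stays on an allowlist.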
FAQ
Chrome extension for Google Lens image search with screen capture tools. Had 7,000 users.
Ownership sold October 2025, rogue update February 17, 2026 via version 5.8.
Hides script in transparent GIF onload to run malicious code after CSP removal.
Content-Security-Policy, X-Frame-Options, X-XSS-Protection from all responses.
Check ownership shifts, new net permissions, vague privacy policies.
Yes, removed February 17, 2026. Block the ID to stay safe.